Gluing together Proof Environments:
Canonical extensions of LF Type Theories featuring Locks*

Furio Honsell
Department of Mathematics and Computer Science, University of Udine, Italy
furio.honsell@uniud.it

Luigi Liquori
Inria Sophia Antipolis Méditerranée, France
luigi.liquori@inria.fr

Petar Maksimović
Inria Rennes Bretagne Atlantique, France
Mathematical Institute of the Serbian Academy of Sciences and Arts, Serbia
petar.maksimovic@inria.fr

Ivan Scagnetto
Department of Mathematics and Computer Science, University of Udine, Italy
ivan.scagnetto@uniud.it

We present two extensions of the LF Constructive Type Theory featuring monadic locks. A lock is a monadic type construct that captures the effect of an external call to an oracle. Such calls are the basic tool for gluing together diverse Type Theories and proof development environments. The oracle can be invoked either to check that a constraint holds or to provide a suitable witness.

The systems are presented in the canonical style developed by the CMU School. The first system, CLLF_P, is the canonical version of the system LLF_P, presented earlier by the authors. The second system, CLLF_P?, features the possibility of invoking the oracle to obtain a witness satisfying a given constraint. We discuss encodings of Fitch-Prawitz Set Theory, call-by-value λ-calculi, and systems of Light Linear Logic. Finally, we show how to use Fitch-Prawitz Set Theory to define a type system that types precisely the strongly normalizing terms.

1 Introduction 

In recent years, the authors have introduced in a series of papers [18, 16, 21, 20] various extensions of the Constructive Type Theory LF, with the goal of defining a simple Universal Meta-language that can support the effect of gluing together, i.e. interconnecting, different type systems and proof development environments.

The basic idea underpinning these logical frameworks is to allow the user to express explicitly, in an LF type-theoretic framework, the invocation of external tools, and to record uniformly the effect of such invocations, by means of a new monadic type-constructor called a lock. More specifically, locks permit to express the fact that, in order to obtain a term of a given type, it is necessary to verify, first, a constraint $\mathcal{P}(\Gamma \vdash_\Sigma M : \sigma)$, i.e. to produce suitable evidence. No restrictions are enforced on producing such evidence. It can be supplied by calling an external proof search tool or an external oracle, or by exploiting some other epistemic source, such as diagrams, physical analogies, or explicit computations according to the Poincaré Principle [3]. Thus, by using lock constructors, one can factor out the goal, produce pieces of evidence using different proof environments and glue them back together, using the unlock operator, which releases the locked term in the calling framework. Clearly, the task of checking the validity of external evidence rests entirely on the external tool. In our framework we limit ourselves to recording in the proof term, by means of a $\mathcal{U}$-destructor, this recourse to an external tool.

*The work presented in this paper was partially supported by the Serbian Ministry of Education, Science, and Technological Development, projects ON 174026 and III44006.

One of the original contributions of this paper is that we show how locks can delegate to external tools not only the task of producing suitable evidence but also that of exhibiting suitable witnesses, to be further used in the calling environment. This feature is exhibited by CLLF_P? (see Section 3).

Locks subsume different proof attitudes, such as proof-irrelevant approaches, where one is only interested in knowing that evidence does exist, or approaches relying on powerful terminating metalanguages. Indeed, locks allow for a straightforward accommodation of many different proof cultures within a single Logical Framework, which otherwise could be embedded only very deeply [6, 15] or axiomatically [22].

Differently from our earlier work, we focus in this paper only on systems presented in the canonical format introduced by the CMU school [35, 14]. This format is syntax-directed and produces a unique derivation for each derivable judgement. Terms are all in normal form and equality rules are replaced by hereditary substitution. We present the systems in canonical form, since this format streamlines the proof of adequacy theorems.

First, we present the very expressive system CLLF_P and discuss its relationship to the non-canonical counterpart LLF_P of [20], where we introduced lock-types following the paradigm of Constructive Type Theory (à la Martin-Löf), via introduction, elimination, and equality rules. This paradigm needs to be rephrased for the canonical format used here. Introduction rules correspond to type checking rules of canonical objects, whereas elimination rules correspond to type synthesis rules of atomic objects. Equality rules are rendered via the rules of hereditary substitution. In particular, we introduce a lock constructor for building canonical objects $\mathcal{L}^{\mathcal{P}}_{N,\sigma}[M]$ of type $\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]$, via the type checking rule (O-Lock). Correspondingly, we introduce an unlock destructor $\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]$, and an atomic rule (O-Unlock), allowing elimination, in the hereditary substitution rules, of the lock-type constructor, under the condition that a specific predicate $\mathcal{P}$ is verified, possibly externally, on a judgement:

$$\frac{\Gamma \vdash_\Sigma M \Leftarrow \rho \qquad \Gamma \vdash_\Sigma N \Leftarrow \sigma}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[M] \Leftarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]}\ \ (O\text{-}Lock)$$

$$\frac{\Gamma \vdash_\Sigma A \Rightarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho] \qquad \Gamma \vdash_\Sigma N \Leftarrow \sigma \qquad \mathcal{P}(\Gamma \vdash_\Sigma N \Leftarrow \sigma)}{\Gamma \vdash_\Sigma \mathcal{U}^{\mathcal{P}}_{N,\sigma}[A] \Rightarrow \rho}\ \ (O\text{-}Unlock)$$


Capitalizing on the monadic nature of the lock constructor, as we did for the systems in [21, 20], one can use locked terms without necessarily establishing the predicate, provided an outermost lock is present. This increases the expressivity of the system, and allows for reasoning under the assumption that the verification is successful, as well as for postponing and reducing the number of verifications. The rules which make all this work are:

$$\frac{\Gamma, x{:}\tau \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]\ \mathrm{type} \qquad \Gamma \vdash_\Sigma A \Rightarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\tau] \qquad \rho[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/x]^F_{(\tau)^-} = \rho'}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho']\ \mathrm{type}}\ \ (F\text{-}Nested\text{-}Unlock)$$

$$\frac{\Gamma, x{:}\tau \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[M] \Leftarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho] \qquad \Gamma \vdash_\Sigma A \Rightarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\tau] \qquad \rho[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/x]^F_{(\tau)^-} = \rho' \qquad M[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/x]^O_{(\tau)^-} = M'}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[M'] \Leftarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho']}\ \ (O\text{-}Nested\text{-}Unlock)$$

The (O-Nested-Unlock) rule is the counterpart of the elimination rule for monads, once we realize that the standard destructor of monads (see, e.g., [25]), $\mathrm{let}_{\mathcal{L}^{\mathcal{P}}_{N,\sigma}}\ x = A\ \mathrm{in}\ N$, can be replaced, in our context, by $N[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/x]$. This holds since the $\mathcal{L}$-monad satisfies the property $\mathrm{let}_{\mathcal{L}}\ x = M\ \mathrm{in}\ N \to N$ if $x \notin Fv(N)$, provided x occurs guarded in N, i.e. within subterms of the appropriate lock-type. The rule (F-Nested-Unlock) takes care of elimination at the level of types.
Contexts   $\Gamma ::= \emptyset \mid \Gamma, x{:}\sigma$

Figure 1: Syntax of CLLF_P


We then proceed to introduce CLLF_P?. Syntactically, it might appear as a minor variation of CLLF_P, but the lock constructor is used here to express the request for a witness satisfying a given property, which is then replaced by the unlock operation. In CLLF_P?, the lock acts as a binding operator and the unlock as an application.

To illustrate the expressive power of CLLF_P and CLLF_P? we discuss various challenging encodings of subtle logical systems, as well as some novel applications. First, we encode in CLLF_P Fitch-Prawitz consistent Set Theory (FPST), as presented in [30], and, to illustrate its expressive power, we show, by way of example, how it can type all strongly normalizing terms. Next, we give signatures in CLLF_P of a strongly normalizing λ-calculus and of a system of Light Linear Logic [7]. Finally, in Section 4 we show how to encode functions in CLLF_P?.

The paper is organized as follows: in Section 2 we present the syntax, the type system and the metatheory of CLLF_P, whereas CLLF_P? is introduced in Section 3. Section 4 is devoted to the presentation and discussion of case studies. Finally, connections with related work in the literature appear in Section 5.


2 The Canonical System CLLF_P

In this section, we discuss the canonical counterpart of LLF_P [20], i.e. CLLF_P, in the style of [35, 14]. This approach amounts to restricting the language only to terms in long βη-normal form. These are the normal forms of the original system which are normal also w.r.t. the typed η-like expansion rules, namely $M \to_\eta \lambda x{:}\sigma.M\,x$ and $M \to_\eta \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[M]]$ if M is atomic. The added value of canonical systems such as CLLF_P is that one can streamline results of adequacy for encoded systems. Indeed, reductions in the meta-language of non-canonical terms reflect only the history of how the proof was developed using lemmata.


2.1 Syntax and Type System for CLLF_P

The syntax of CLLF_P is presented in Figure 1. The type system for CLLF_P is shown in Figure 2. The judgements of CLLF_P are the following:

- $\Sigma\ \mathrm{sig}$: Σ is a valid signature
- $\vdash_\Sigma \Gamma$: Γ is a valid context in Σ
- $\Gamma \vdash_\Sigma K$: K is a kind in Γ and Σ
- $\Gamma \vdash_\Sigma \sigma\ \mathrm{type}$: σ is a canonical family in Γ and Σ
- $\Gamma \vdash_\Sigma \alpha \Rightarrow K$: K is the kind of the atomic family α in Γ and Σ
- $\Gamma \vdash_\Sigma M \Leftarrow \sigma$: M is a canonical term of type σ in Γ and Σ
- $\Gamma \vdash_\Sigma A \Rightarrow \sigma$: σ is the type of the atomic term A in Γ and Σ
Valid signatures

$$\frac{}{\emptyset\ \mathrm{sig}}\ (S\text{-}Empty) \qquad \frac{\Sigma\ \mathrm{sig} \quad \vdash_\Sigma K \quad a \notin \mathrm{Dom}(\Sigma)}{\Sigma, a{:}K\ \mathrm{sig}}\ (S\text{-}Kind) \qquad \frac{\Sigma\ \mathrm{sig} \quad \vdash_\Sigma \sigma\ \mathrm{type} \quad c \notin \mathrm{Dom}(\Sigma)}{\Sigma, c{:}\sigma\ \mathrm{sig}}\ (S\text{-}Type)$$

Context rules

$$\frac{\Sigma\ \mathrm{sig}}{\vdash_\Sigma \emptyset}\ (C\text{-}Empty) \qquad \frac{\vdash_\Sigma \Gamma \quad \Gamma \vdash_\Sigma \sigma\ \mathrm{type} \quad x \notin \mathrm{Dom}(\Gamma)}{\vdash_\Sigma \Gamma, x{:}\sigma}\ (C\text{-}Type)$$

Kind rules

$$\frac{\vdash_\Sigma \Gamma}{\Gamma \vdash_\Sigma \mathrm{type}}\ (K\text{-}Type) \qquad \frac{\Gamma \vdash_\Sigma \sigma\ \mathrm{type} \quad \Gamma, x{:}\sigma \vdash_\Sigma K}{\Gamma \vdash_\Sigma \Pi x{:}\sigma.K}\ (K\text{-}Pi)$$

Atomic family rules

$$\frac{\vdash_\Sigma \Gamma \quad a{:}K \in \Sigma}{\Gamma \vdash_\Sigma a \Rightarrow K}\ (A\text{-}Const) \qquad \frac{\Gamma \vdash_\Sigma \alpha \Rightarrow \Pi x{:}\sigma.K_1 \quad \Gamma \vdash_\Sigma M \Leftarrow \sigma \quad K_1[M/x]^K_{(\sigma)^-} = K}{\Gamma \vdash_\Sigma \alpha\,M \Rightarrow K}\ (A\text{-}App)$$

Canonical family rules

$$\frac{\Gamma \vdash_\Sigma \alpha \Rightarrow \mathrm{type}}{\Gamma \vdash_\Sigma \alpha\ \mathrm{type}}\ (F\text{-}Atom) \qquad \frac{\Gamma \vdash_\Sigma \sigma\ \mathrm{type} \quad \Gamma, x{:}\sigma \vdash_\Sigma \tau\ \mathrm{type}}{\Gamma \vdash_\Sigma \Pi x{:}\sigma.\tau\ \mathrm{type}}\ (F\text{-}Pi)$$

$$\frac{\Gamma \vdash_\Sigma \rho\ \mathrm{type} \quad \Gamma \vdash_\Sigma N \Leftarrow \sigma}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]\ \mathrm{type}}\ (F\text{-}Lock)$$

$$\frac{\Gamma, x{:}\tau \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]\ \mathrm{type} \quad \Gamma \vdash_\Sigma A \Rightarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\tau] \quad \rho[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/x]^F_{(\tau)^-} = \rho'}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho']\ \mathrm{type}}\ (F\text{-}Nested\text{-}Unlock)$$

Atomic object rules

$$\frac{\vdash_\Sigma \Gamma \quad c{:}\sigma \in \Sigma}{\Gamma \vdash_\Sigma c \Rightarrow \sigma}\ (O\text{-}Const) \qquad \frac{\vdash_\Sigma \Gamma \quad x{:}\sigma \in \Gamma}{\Gamma \vdash_\Sigma x \Rightarrow \sigma}\ (O\text{-}Var)$$

$$\frac{\Gamma \vdash_\Sigma A \Rightarrow \Pi x{:}\sigma.\tau_1 \quad \Gamma \vdash_\Sigma M \Leftarrow \sigma \quad \tau_1[M/x]^F_{(\sigma)^-} = \tau}{\Gamma \vdash_\Sigma A\,M \Rightarrow \tau}\ (O\text{-}App)$$

$$\frac{\Gamma \vdash_\Sigma A \Rightarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho] \quad \Gamma \vdash_\Sigma N \Leftarrow \sigma \quad \mathcal{P}(\Gamma \vdash_\Sigma N \Leftarrow \sigma)}{\Gamma \vdash_\Sigma \mathcal{U}^{\mathcal{P}}_{N,\sigma}[A] \Rightarrow \rho}\ (O\text{-}Unlock)$$

Canonical object rules

$$\frac{\Gamma \vdash_\Sigma A \Rightarrow \alpha}{\Gamma \vdash_\Sigma A \Leftarrow \alpha}\ (O\text{-}Atom) \qquad \frac{\Gamma, x{:}\sigma \vdash_\Sigma M \Leftarrow \tau}{\Gamma \vdash_\Sigma \lambda x{:}\sigma.M \Leftarrow \Pi x{:}\sigma.\tau}\ (O\text{-}Abs)$$

$$\frac{\Gamma \vdash_\Sigma M \Leftarrow \rho \quad \Gamma \vdash_\Sigma N \Leftarrow \sigma}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[M] \Leftarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]}\ (O\text{-}Lock)$$

$$\frac{\Gamma, x{:}\tau \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[M] \Leftarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho] \quad \Gamma \vdash_\Sigma A \Rightarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\tau] \quad \rho[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/x]^F_{(\tau)^-} = \rho' \quad M[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/x]^O_{(\tau)^-} = M'}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[M'] \Leftarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho']}\ (O\text{-}Nested\text{-}Unlock)$$

Figure 2: The CLLF_P Type System


The judgements $\Sigma\ \mathrm{sig}$, $\vdash_\Sigma \Gamma$, and $\Gamma \vdash_\Sigma K$ are as in Section 2.1 of [19], whereas the remaining ones are peculiar to the canonical style. Informally, the judgement $\Gamma \vdash_\Sigma M \Leftarrow \sigma$ uses σ to check the type of the canonical term M, while the judgement $\Gamma \vdash_\Sigma A \Rightarrow \sigma$ uses the type information contained in the atomic term A and in Γ to synthesize σ. Predicates $\mathcal{P}$ in CLLF_P are defined on judgements of the shape $\Gamma \vdash_\Sigma M \Leftarrow \sigma$.

There are two rules whose conclusion is the lock constructor $\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\cdot]$, namely (O-Lock) and (O-Nested-Unlock). Nevertheless, the system is still syntax directed: when there are subterms of the form $\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]$ in either M' or ρ', the type checking algorithm always tries to apply the (O-Nested-Unlock) rule first. If this is not possible, it applies instead the (O-Lock) rule.
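The lock/unlock discipline of Figure 2, restricted to a non-dependent fragment (base types, arrows and lock types, so that (O-App) needs no substitution), as an added Python example. This is illustration code written for this edit, not code from the paper or its authors; the names synth, check, typecheck, the predicate Closed and the constant c : nat are assumptions. It shows the point a practitioner cares about when gluing tools together: (O-Lock) never consults the external predicate, (O-Unlock) always does, and the checker keeps a trace of exactly which judgements were delegated to the oracle, since the validity of the oracle's verdict is entirely the oracle's responsibility.

```python
from dataclasses import dataclass
from typing import Callable, Union

# Types of the fragment: base types (str), arrows, and lock types, i.e.
# L^P_{N,sigma}[rho] indexed by the predicate name P and the judgement N <= sigma.
@dataclass(frozen=True)
class Arr:
    dom: "Ty"
    cod: "Ty"

@dataclass(frozen=True)
class LockTy:
    pred: str
    n: "Tm"
    sigma: "Ty"
    rho: "Ty"

Ty = Union[str, Arr, LockTy]

@dataclass(frozen=True)
class Var:          # variable or signature constant
    name: str

@dataclass(frozen=True)
class App:          # atomic: A M
    head: "Tm"
    arg: "Tm"

@dataclass(frozen=True)
class Lam:          # canonical: \x:sigma.M
    x: str
    ty: Ty
    body: "Tm"

@dataclass(frozen=True)
class Lock:         # canonical: L^P_{N,sigma}[M]
    pred: str
    n: "Tm"
    sigma: Ty
    body: "Tm"

@dataclass(frozen=True)
class Unlock:       # atomic: U^P_{N,sigma}[A]
    pred: str
    n: "Tm"
    sigma: Ty
    body: "Tm"

Tm = Union[Var, App, Lam, Lock, Unlock]

# The external predicate P(Gamma |- N <= sigma).  Its verdict is trusted as-is;
# the checker only makes sure it is consulted exactly where (O-Unlock) says so.
Oracle = Callable[[dict, Tm, Ty], bool]

class Reject(Exception):
    pass

def synth(sig, ctx, a, oracles, trace):
    """Type synthesis Gamma |-_Sigma A => sigma for atomic A."""
    if isinstance(a, Var):                                  # (O-Var) / (O-Const)
        if a.name in ctx:
            return ctx[a.name]
        if a.name in sig:
            return sig[a.name]
        raise Reject(f"unbound {a.name}")
    if isinstance(a, App):                                  # (O-App)
        fty = synth(sig, ctx, a.head, oracles, trace)
        if not isinstance(fty, Arr):
            raise Reject("head of application is not a function")
        check(sig, ctx, a.arg, fty.dom, oracles, trace)
        return fty.cod
    if isinstance(a, Unlock):                               # (O-Unlock)
        lty = synth(sig, ctx, a.body, oracles, trace)
        if not (isinstance(lty, LockTy)
                and (lty.pred, lty.n, lty.sigma) == (a.pred, a.n, a.sigma)):
            raise Reject("unlock does not match the lock type of its argument")
        check(sig, ctx, a.n, a.sigma, oracles, trace)       # N <= sigma is still type checked
        trace.append((a.pred, a.n))                         # recourse to the oracle is recorded
        if not oracles[a.pred](ctx, a.n, a.sigma):
            raise Reject(f"external predicate {a.pred} does not hold")
        return lty.rho
    raise Reject("not an atomic term")

def check(sig, ctx, m, ty, oracles, trace):
    """Type checking Gamma |-_Sigma M <= sigma for canonical M."""
    if isinstance(m, Lam):                                  # (O-Abs)
        if not (isinstance(ty, Arr) and ty.dom == m.ty):
            raise Reject("abstraction checked against a non-matching type")
        check(sig, {**ctx, m.x: m.ty}, m.body, ty.cod, oracles, trace)
    elif isinstance(m, Lock):                               # (O-Lock): the oracle is NOT consulted
        if not (isinstance(ty, LockTy)
                and (ty.pred, ty.n, ty.sigma) == (m.pred, m.n, m.sigma)):
            raise Reject("lock checked against a non-matching lock type")
        check(sig, ctx, m.n, m.sigma, oracles, trace)
        check(sig, ctx, m.body, ty.rho, oracles, trace)
    elif synth(sig, ctx, m, oracles, trace) != ty:          # (O-Atom)
        raise Reject("synthesized type differs from the expected one")

def typecheck(sig, ctx, m, ty, oracles):
    """Returns (accepted, list of (predicate, N) pairs the oracle was asked about)."""
    trace = []
    try:
        check(sig, ctx, m, ty, oracles, trace)
        return True, trace
    except Reject:
        return False, trace

def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, App):
        return free_vars(t.head) | free_vars(t.arg)
    if isinstance(t, Lam):
        return free_vars(t.body) - {t.x}
    return free_vars(t.n) | free_vars(t.body)

# Sample predicate, constructed for this example: "N mentions no assumption of
# the context", i.e. the locked judgement is closed with respect to Gamma.
ORACLES = {"Closed": lambda ctx, n, sigma: not (free_vars(n) & set(ctx))}
SIG = {"c": "nat"}                      # one signature constant c : nat

def nat_lock(n):
    return LockTy("Closed", n, "nat", "nat")

SAMPLE_CTX = {"f": nat_lock(Var("c")), "y": "nat", "g": nat_lock(Var("y"))}
```

With SAMPLE_CTX, unlocking f (locked on the closed term c) is accepted and the trace records one call to Closed; unlocking g (locked on the assumption y) is rejected by the oracle; checking the locked term $\mathcal{L}^{Closed}_{y,nat}[y]$ against its lock type is accepted with an empty trace, which is the "reasoning under the assumption that the verification is successful" of the introduction.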

The type system makes use, in the rules (A-App) and (O-App) and in the two nested-unlock rules, of the notion of Hereditary Substitution, which computes the normal form resulting from the substitution of one normal form into another.
$$\frac{}{(a)^- = a} \qquad \frac{(\alpha)^- = \rho}{(\alpha\,M)^- = \rho} \qquad \frac{(\sigma)^- = \rho_1 \quad (\tau)^- = \rho_2}{(\Pi x{:}\sigma.\tau)^- = \rho_1 \to \rho_2} \qquad \frac{(\tau)^- = \rho}{(\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\tau])^- = \mathcal{L}^{\mathcal{P}}_{\sigma}[\rho]}$$

Figure 3: Erasure to simple types


Substitution in Kinds

$$\frac{}{\mathrm{type}[M_0/x_0]^K_{\rho_0} = \mathrm{type}}\ (S\text{-}K\text{-}Type) \qquad \frac{\sigma[M_0/x_0]^F_{\rho_0} = \sigma' \quad K[M_0/x_0]^K_{\rho_0} = K'}{(\Pi x{:}\sigma.K)[M_0/x_0]^K_{\rho_0} = \Pi x{:}\sigma'.K'}\ (S\text{-}K\text{-}Pi)$$

Substitution in Atomic Families

$$\frac{}{a[M_0/x_0]^{F_a}_{\rho_0} = a}\ (S\text{-}F\text{-}Const) \qquad \frac{\alpha[M_0/x_0]^{F_a}_{\rho_0} = \alpha' \quad M[M_0/x_0]^O_{\rho_0} = M'}{(\alpha\,M)[M_0/x_0]^{F_a}_{\rho_0} = \alpha'\,M'}\ (S\text{-}F\text{-}App)$$

Substitution in Canonical Families

$$\frac{\alpha[M_0/x_0]^{F_a}_{\rho_0} = \alpha'}{\alpha[M_0/x_0]^{F}_{\rho_0} = \alpha'}\ (S\text{-}F\text{-}Atom) \qquad \frac{\sigma_1[M_0/x_0]^F_{\rho_0} = \sigma_1' \quad \sigma_2[M_0/x_0]^F_{\rho_0} = \sigma_2'}{(\Pi x{:}\sigma_1.\sigma_2)[M_0/x_0]^F_{\rho_0} = \Pi x{:}\sigma_1'.\sigma_2'}\ (S\text{-}F\text{-}Pi)$$

$$\frac{\sigma_1[M_0/x_0]^F_{\rho_0} = \sigma_1' \quad M_1[M_0/x_0]^O_{\rho_0} = M_1' \quad \sigma_2[M_0/x_0]^F_{\rho_0} = \sigma_2'}{\mathcal{L}^{\mathcal{P}}_{M_1,\sigma_1}[\sigma_2][M_0/x_0]^F_{\rho_0} = \mathcal{L}^{\mathcal{P}}_{M_1',\sigma_1'}[\sigma_2']}\ (S\text{-}F\text{-}Lock)$$

Figure 4: Hereditary substitution, kinds and families of CLLF_P

The general form of the hereditary substitution judgement is $T[M/x]^t_\rho = T'$, where M is the term being substituted, x is the variable being substituted for, T is the term being substituted into, T' is the result of the substitution, ρ is the simple type of M, and t denotes the syntactic class (e.g. atomic families/objects, canonical families/objects, etc.) under consideration. We give the rules of Hereditary Substitution in the style of [14], where the erasure function to simple types is necessary to simplify the proof of termination, which we omit.

The simple type ρ of M is obtained via the erasure function of [14] (Figure 3), mapping dependent types into simple types. The rules for Hereditary Substitution are presented in Figures 4 and 5, using Barendregt's hygiene condition.
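As an added example (written for this edit, not the paper's code), the object-level rules of Figure 5 in Python, over a simply-typed fragment where the erasure has already been applied, so the λ-annotation and the lock's σ are simple types and nothing is substituted into them; the names hsubst, hsubst_atomic, is_defined and the sample terms are assumptions. The point shown: substituting a λ-term for the head of an application never leaves a β-redex behind, because the contractum is itself substituted hereditarily at the smaller simple type (the -H rules), and the substitution is undefined on inputs that are not in long η-normal form, such as a bare variable of arrow type in head position.

```python
from dataclasses import dataclass
from typing import Union

# Simple types, i.e. the image of the erasure (.)^- of Figure 3:
# base names, arrows, and lock types L^P_sigma[rho].
@dataclass(frozen=True)
class Arr:
    dom: "STy"
    cod: "STy"

@dataclass(frozen=True)
class LockSTy:
    pred: str
    sigma: "STy"
    rho: "STy"

STy = Union[str, Arr, LockSTy]

# Objects in canonical form.  Atomic: Var, App, Unlock.  Canonical: Lam, Lock, atomic.
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    head: "Tm"      # atomic
    arg: "Tm"       # canonical

@dataclass(frozen=True)
class Lam:
    x: str
    ty: STy
    body: "Tm"

@dataclass(frozen=True)
class Lock:         # L^P_{N,sigma}[M]
    pred: str
    n: "Tm"
    sigma: STy
    body: "Tm"

@dataclass(frozen=True)
class Unlock:       # U^P_{N,sigma}[A]
    pred: str
    n: "Tm"
    sigma: STy
    body: "Tm"      # atomic

Tm = Union[Var, App, Lam, Lock, Unlock]

class Undefined(Exception):
    """The substitution judgement has no derivation (input not in canonical form)."""

def hsubst(t, m0, x0, rho0):
    """Canonical substitution t[m0/x0]^O_{rho0} (Figure 5, canonical objects).
    Bound variables are assumed distinct from x0 and from Fv(m0) (Barendregt)."""
    if isinstance(t, Lam):                                  # (S-O-Abs)
        return Lam(t.x, t.ty, hsubst(t.body, m0, x0, rho0))
    if isinstance(t, Lock):                                 # (S-O-Lock)
        return Lock(t.pred, hsubst(t.n, m0, x0, rho0), t.sigma,
                    hsubst(t.body, m0, x0, rho0))
    r = hsubst_atomic(t, m0, x0, rho0)                      # (S-O-R) / (S-O-R-H)
    return r[0] if isinstance(r, tuple) else r

def hsubst_atomic(a, m0, x0, rho0):
    """Atomic substitution a[m0/x0]^{O_a}_{rho0}.  Returns an atomic term when the
    head of a is not x0, and a pair (canonical term, simple type) when it is:
    these are the -H rules, where the substituted term is reduced hereditarily."""
    if isinstance(a, Var):                                  # (S-O-Var-H) / (S-O-Var)
        return (m0, rho0) if a.name == x0 else a
    if isinstance(a, App):
        h = hsubst_atomic(a.head, m0, x0, rho0)
        arg = hsubst(a.arg, m0, x0, rho0)
        if not isinstance(h, tuple):                        # (S-O-App)
            return App(h, arg)
        fn, fty = h                                         # (S-O-App-H)
        if not (isinstance(fn, Lam) and isinstance(fty, Arr)):
            raise Undefined("head substitution did not yield an abstraction")
        # the new redex is contracted by substituting at the smaller type fty.dom
        return hsubst(fn.body, arg, fn.x, fty.dom), fty.cod
    if isinstance(a, Unlock):
        h = hsubst_atomic(a.body, m0, x0, rho0)
        n = hsubst(a.n, m0, x0, rho0)
        if not isinstance(h, tuple):                        # (S-O-Unlock)
            return Unlock(a.pred, n, a.sigma, h)
        inner, ity = h                                      # (S-O-Unlock-H)
        if not (isinstance(inner, Lock) and isinstance(ity, LockSTy)):
            raise Undefined("unlocking something that is not a lock")
        return inner.body, ity.rho
    raise Undefined("not an atomic term")

def is_defined(t, m0, x0, rho0):
    try:
        hsubst(t, m0, x0, rho0)
        return True
    except Undefined:
        return False

# Constructed sample: twice = \f:nat->nat.\x:nat. f (f x) is substituted for g in
# g S z, where S = \y:nat. s y is the long eta-normal form of s : nat -> nat.
NAT = "nat"
TWICE = Lam("f", Arr(NAT, NAT), Lam("x", NAT, App(Var("f"), App(Var("f"), Var("x")))))
S_ETA = Lam("y", NAT, App(Var("s"), Var("y")))
TERM = App(App(Var("g"), S_ETA), Var("z"))
TWICE_TY = Arr(Arr(NAT, NAT), Arr(NAT, NAT))
```

hsubst(TERM, TWICE, "g", TWICE_TY) returns the normal form s (s z) directly, with no intermediate redex; the same substitution with the non-expanded Var("s") in place of S_ETA is undefined, which is exactly the long-normal-form requirement discussed below.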

Notice that, in the rule (O-Atom) of the type system (Figure 2), the syntactic restriction of the classifier to an atomic α ensures that canonical forms are long βη-normal forms, for the suitable notion of long βη-normal form which extends the standard one to lock-types. For one, the judgement $x{:}\Pi z{:}a.a \vdash_\Sigma x \Leftarrow \Pi z{:}a.a$ is not derivable, as $\Pi z{:}a.a$ is not atomic; hence $\vdash_\Sigma \lambda x{:}(\Pi z{:}a.a).x \Leftarrow \Pi x{:}(\Pi z{:}a.a).\Pi z{:}a.a$ is not derivable. On the other hand, $\vdash_\Sigma \lambda x{:}(\Pi z{:}a.a).\lambda y{:}a.x\,y \Leftarrow \Pi x{:}(\Pi z{:}a.a).\Pi z{:}a.a$, where a is a family constant of kind Type, is derivable. Analogously, for lock-types, the judgement $x{:}\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho] \vdash_\Sigma x \Leftarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]$ is not derivable, since $\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]$ is not atomic. As a consequence, $\vdash_\Sigma \lambda x{:}\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho].x \Leftarrow \Pi x{:}\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho].\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]$ is not derivable. However, $x{:}\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho] \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[x]] \Leftarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]$ is derivable, if ρ is atomic (and, by (O-Unlock), the predicate $\mathcal{P}$ holds on N). Hence, the judgement $\vdash_\Sigma \lambda x{:}\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho].\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[x]] \Leftarrow \Pi x{:}\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho].\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]$ is derivable. Note that the unlock constructor takes an atomic term as its main argument, thus avoiding the creation of possible $\mathcal{L}$-redexes under substitution. Moreover, since unlocks can only receive locked terms in their body, no abstractions can ever arise. In Definition 2.3 we formalize the notion of η-expansion of a judgement, together with correspondence theorems between LLF_P and CLLF_P.

We present CLLF_P in a fully-typed style, i.e. à la Church, but we could also follow [14] and present a version à la Curry, where the canonical forms $\lambda x.M$ and $\mathcal{L}^{\mathcal{P}}[M]$ do not carry type information. The type rules would then be, e.g.:















Substitution in Atomic Objects

$$\frac{}{c[M_0/x_0]^{O_a}_{\rho_0} = c}\ (S\text{-}O\text{-}Const) \qquad \frac{}{x_0[M_0/x_0]^{O_a}_{\rho_0} = M_0 : \rho_0}\ (S\text{-}O\text{-}Var\text{-}H) \qquad \frac{x \neq x_0}{x[M_0/x_0]^{O_a}_{\rho_0} = x}\ (S\text{-}O\text{-}Var)$$

$$\frac{A_1[M_0/x_0]^{O_a}_{\rho_0} = A_1' \quad M_2[M_0/x_0]^{O}_{\rho_0} = M_2'}{(A_1\,M_2)[M_0/x_0]^{O_a}_{\rho_0} = A_1'\,M_2'}\ (S\text{-}O\text{-}App)$$

$$\frac{A_1[M_0/x_0]^{O_a}_{\rho_0} = \lambda x{:}\rho_2.M_1' : \rho_2 \to \rho \quad M_2[M_0/x_0]^{O}_{\rho_0} = M_2' \quad M_1'[M_2'/x]^{O}_{\rho_2} = M'}{(A_1\,M_2)[M_0/x_0]^{O_a}_{\rho_0} = M' : \rho}\ (S\text{-}O\text{-}App\text{-}H)$$

$$\frac{\sigma[M_0/x_0]^F_{\rho_0} = \sigma' \quad M[M_0/x_0]^O_{\rho_0} = M' \quad A[M_0/x_0]^{O_a}_{\rho_0} = A'}{\mathcal{U}^{\mathcal{P}}_{M,\sigma}[A][M_0/x_0]^{O_a}_{\rho_0} = \mathcal{U}^{\mathcal{P}}_{M',\sigma'}[A']}\ (S\text{-}O\text{-}Unlock)$$

$$\frac{\sigma[M_0/x_0]^F_{\rho_0} = \sigma' \quad M[M_0/x_0]^O_{\rho_0} = M' \quad A[M_0/x_0]^{O_a}_{\rho_0} = \mathcal{L}^{\mathcal{P}}_{M',\sigma'}[M_1] : \mathcal{L}^{\mathcal{P}}_{\sigma'}[\rho]}{\mathcal{U}^{\mathcal{P}}_{M,\sigma}[A][M_0/x_0]^{O_a}_{\rho_0} = M_1 : \rho}\ (S\text{-}O\text{-}Unlock\text{-}H)$$

Substitution in Canonical Objects

$$\frac{A[M_0/x_0]^{O_a}_{\rho_0} = A'}{A[M_0/x_0]^{O}_{\rho_0} = A'}\ (S\text{-}O\text{-}R) \qquad \frac{A[M_0/x_0]^{O_a}_{\rho_0} = M' : \rho}{A[M_0/x_0]^{O}_{\rho_0} = M'}\ (S\text{-}O\text{-}R\text{-}H)$$

$$\frac{\sigma[M_0/x_0]^F_{\rho_0} = \sigma' \quad M[M_0/x_0]^{O}_{\rho_0} = M'}{(\lambda x{:}\sigma.M)[M_0/x_0]^{O}_{\rho_0} = \lambda x{:}\sigma'.M'}\ (S\text{-}O\text{-}Abs)$$

$$\frac{\sigma_1[M_0/x_0]^F_{\rho_0} = \sigma_1' \quad M_1[M_0/x_0]^{O}_{\rho_0} = M_1' \quad M_2[M_0/x_0]^{O}_{\rho_0} = M_2'}{\mathcal{L}^{\mathcal{P}}_{M_1,\sigma_1}[M_2][M_0/x_0]^{O}_{\rho_0} = \mathcal{L}^{\mathcal{P}}_{M_1',\sigma_1'}[M_2']}\ (S\text{-}O\text{-}Lock)$$

Substitution in Contexts

$$\frac{}{\emptyset[M_0/x_0]^C_{\rho_0} = \emptyset}\ (S\text{-}Ctxt\text{-}Empty) \qquad \frac{x_0 \neq x \quad x \notin Fv(M_0) \quad \Gamma[M_0/x_0]^C_{\rho_0} = \Gamma' \quad \sigma[M_0/x_0]^F_{\rho_0} = \sigma'}{(\Gamma, x{:}\sigma)[M_0/x_0]^C_{\rho_0} = \Gamma', x{:}\sigma'}\ (S\text{-}Ctxt\text{-}Term)$$

Figure 5: Hereditary substitution, objects and contexts of CLLF_P

$$\frac{\Gamma, x{:}\sigma \vdash_\Sigma M \Leftarrow \tau}{\Gamma \vdash_\Sigma \lambda x.M \Leftarrow \Pi x{:}\sigma.\tau}\ (O\text{-}Abs) \qquad \frac{\Gamma \vdash_\Sigma M \Leftarrow \rho \quad \Gamma \vdash_\Sigma N \Leftarrow \sigma}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}[M] \Leftarrow \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]}\ (O\text{-}Lock)$$

This latter syntax is more suitable in implementations because it simplifies the notation. Following [18], we stick to the typeful syntax because it allows for a more direct comparison with non-canonical systems. This, however, is technically immaterial. Since judgements in canonical systems have unique derivations, one can show by induction on derivations that any provable judgement in the system where object terms are à la Curry has a unique type decoration of its object subterms, which turns it into a provable judgement in the version à la Church. Vice versa, any provable judgement in the version à la Church can forget the types in its object subterms, yielding a provable judgement in the version à la Curry.


2.2 The Metatheory of CLLF_P

For lack of space we omit proofs, but these follow the standard patterns in [14, 19]. We start by studying the basic properties of hereditary substitution and the type system. First of all, we need to assume that the predicates are well-behaved in the sense of [19]. In the context of canonical systems, this notion needs to be rephrased as follows:

Definition 2.1 (Well-behaved predicates for canonical systems). A finite set of predicates $\{\mathcal{P}_i\}_{i \in I}$ is well-behaved if each $\mathcal{P}$ in the set satisfies the following conditions:

1. Closure under signature and context weakening and permutation:

(a) If Σ and Ω are valid signatures such that $\Sigma \subseteq \Omega$, and $\mathcal{P}(\Gamma \vdash_\Sigma N \Leftarrow \sigma)$, then $\mathcal{P}(\Gamma \vdash_\Omega N \Leftarrow \sigma)$.

(b) If Γ and Δ are valid contexts such that $\Gamma \subseteq \Delta$ and $\mathcal{P}(\Gamma \vdash_\Sigma N \Leftarrow \sigma)$, then $\mathcal{P}(\Delta \vdash_\Sigma N \Leftarrow \sigma)$.

2. Closure under hereditary substitution: If $\mathcal{P}(\Gamma, x'{:}\sigma', \Gamma' \vdash_\Sigma N \Leftarrow \sigma)$ and $\Gamma \vdash_\Sigma N' \Leftarrow \sigma'$, then
$$\mathcal{P}\big(\Gamma, \Gamma'[N'/x']^C_{(\sigma')^-} \vdash_\Sigma N[N'/x']^O_{(\sigma')^-} \Leftarrow \sigma[N'/x']^F_{(\sigma')^-}\big).$$

As canonical systems do not feature reduction, the "classical" third constraint for well-behaved predicates (closure under reduction) is not needed here. Moreover, the second condition (closure under substitution) becomes "closure under hereditary substitution".

Lemma 2.1 (Decidability of hereditary substitution).

1. For any T in $\{\mathcal{K}, \mathcal{F}_a, \mathcal{F}, \mathcal{O}\}$, and any M, x, and ρ, it is decidable whether there exists a T' such that $T[M/x]^t_\rho = T'$, or there is no such T'.

2. For any M, x, ρ, and A, it is decidable whether there exists an A' such that $A[M/x]^{O_a}_\rho = A'$, or there exist M' and ρ' such that $A[M/x]^{O_a}_\rho = M' : \rho'$, or there are no such A' and M'.

Lemma 2.2 (Head substitution size). If $A[M_0/x_0]^{O_a}_{\rho_0} = M : \rho$, then ρ is a subexpression of $\rho_0$.

Lemma 2.3 (Uniqueness of substitution and synthesis).

1. It is not possible that $A[M_0/x_0]^{O_a}_{\rho_0} = A'$ and $A[M_0/x_0]^{O_a}_{\rho_0} = M : \rho$.

2. For any T, if $T[M_0/x_0]^t_{\rho_0} = T'$ and $T[M_0/x_0]^t_{\rho_0} = T''$, then $T' = T''$.

3. If $\Gamma \vdash_\Sigma \alpha \Rightarrow K$ and $\Gamma \vdash_\Sigma \alpha \Rightarrow K'$, then $K = K'$.

4. If $\Gamma \vdash_\Sigma A \Rightarrow \sigma$ and $\Gamma \vdash_\Sigma A \Rightarrow \sigma'$, then $\sigma = \sigma'$.

Lemma 2.4 (Composition of hereditary substitution). Let $x \neq x_0$ and $x \notin Fv(M_0)$. Then:

1. For all $T_1$ in $\{\mathcal{K}, \mathcal{F}_a, \mathcal{F}, \mathcal{O}_a, \mathcal{O}\}$, if $M_2[M_0/x_0]^O_{\rho_0} = M_2'$, $T_1[M_2/x]^t_{\rho_2} = T_1'$, and $T_1[M_0/x_0]^t_{\rho_0} = T_1''$, then there exists a T such that $T_1'[M_0/x_0]^t_{\rho_0} = T$ and $T_1''[M_2'/x]^t_{\rho_2} = T$.

2. If $M_2[M_0/x_0]^O_{\rho_0} = M_2'$, $A_1[M_2/x]^{O_a}_{\rho_2} = M : \rho$, and $A_1[M_0/x_0]^{O_a}_{\rho_0} = A$, then there exists an M' such that $M[M_0/x_0]^O_{\rho_0} = M'$ and $A[M_2'/x]^{O_a}_{\rho_2} = M' : \rho$.

3. If $M_2[M_0/x_0]^O_{\rho_0} = M_2'$, $A_1[M_2/x]^{O_a}_{\rho_2} = A$, and $A_1[M_0/x_0]^{O_a}_{\rho_0} = M : \rho$, then there exists an M' such that $A[M_0/x_0]^{O_a}_{\rho_0} = M' : \rho$ and $M[M_2'/x]^O_{\rho_2} = M'$.

Theorem 2.5 (Transitivity). Let $\Sigma\ \mathrm{sig}$, $\vdash_\Sigma \Gamma, x_0{:}\rho_0, \Gamma'$ and $\Gamma \vdash_\Sigma M_0 \Leftarrow \rho_0$, and assume that all predicates are well-behaved. Then,

1. There exists a Γ'' such that $\Gamma'[M_0/x_0]^C_{(\rho_0)^-} = \Gamma''$ and $\vdash_\Sigma \Gamma, \Gamma''$.

2. If $\Gamma, x_0{:}\rho_0, \Gamma' \vdash_\Sigma K$, then there exists a K' such that $K[M_0/x_0]^K_{(\rho_0)^-} = K'$ and $\Gamma, \Gamma'' \vdash_\Sigma K'$.

3. If $\Gamma, x_0{:}\rho_0, \Gamma' \vdash_\Sigma \sigma\ \mathrm{type}$, then there exists a σ' such that $\sigma[M_0/x_0]^F_{(\rho_0)^-} = \sigma'$ and $\Gamma, \Gamma'' \vdash_\Sigma \sigma'\ \mathrm{type}$.

4. If $\Gamma, x_0{:}\rho_0, \Gamma' \vdash_\Sigma \sigma\ \mathrm{type}$ and $\Gamma, x_0{:}\rho_0, \Gamma' \vdash_\Sigma M \Leftarrow \sigma$, then there exist σ' and M' such that $\sigma[M_0/x_0]^F_{(\rho_0)^-} = \sigma'$, $M[M_0/x_0]^O_{(\rho_0)^-} = M'$, and $\Gamma, \Gamma'' \vdash_\Sigma M' \Leftarrow \sigma'$.

Theorem 2.6 (Decidability of typing). If the predicates in CLLF_P are decidable, then all of the judgements of the system are decidable.

We can now precisely state the relationship between CLLF_P and the LLF_P system of [20]:

Theorem 2.7 (Soundness). For any predicate $\mathcal{P}$ of CLLF_P, we define a corresponding predicate $\mathcal{P}$ in LLF_P as follows: $\mathcal{P}(\Gamma \vdash_\Sigma M : \sigma)$ holds if and only if $\Gamma \vdash_\Sigma M : \sigma$ is derivable in LLF_P and $\mathcal{P}(\Gamma \vdash_\Sigma M \Leftarrow \sigma)$ holds in CLLF_P. Then, we have:

1. If $\Sigma\ \mathrm{sig}$ is derivable in CLLF_P, then $\Sigma\ \mathrm{sig}$ is derivable in LLF_P.

2. If $\vdash_\Sigma \Gamma$ is derivable in CLLF_P, then $\vdash_\Sigma \Gamma$ is derivable in LLF_P.

3. If $\Gamma \vdash_\Sigma K$ is derivable in CLLF_P, then $\Gamma \vdash_\Sigma K$ is derivable in LLF_P.

4. If $\Gamma \vdash_\Sigma \alpha \Rightarrow K$ is derivable in CLLF_P, then $\Gamma \vdash_\Sigma \alpha : K$ is derivable in LLF_P.

5. If $\Gamma \vdash_\Sigma \sigma\ \mathrm{type}$ is derivable in CLLF_P, then $\Gamma \vdash_\Sigma \sigma : \mathrm{type}$ is derivable in LLF_P.

6. If $\Gamma \vdash_\Sigma A \Rightarrow \sigma$ is derivable in CLLF_P, then $\Gamma \vdash_\Sigma A : \sigma$ is derivable in LLF_P.

7. If $\Gamma \vdash_\Sigma M \Leftarrow \sigma$ is derivable in CLLF_P, then $\Gamma \vdash_\Sigma M : \sigma$ is derivable in LLF_P.

Vice versa, all LLF_P judgements in long βη-normal form (βη-lnf) are derivable in CLLF_P. The definition of a judgement in βη-lnf is based on the following extension of the standard η-rule to the lock constructor: $\lambda x{:}\sigma.M\,x \to_\eta M$ and $\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[M]] \to_\eta M$.

Definition 2.2. An occurrence ξ of a constant or a variable in a term of an LLF_P judgement is fully applied and unlocked w.r.t. its type or kind $\Pi x_1{:}\sigma_1.\vec{\mathcal{L}}_1[\ldots \Pi x_n{:}\sigma_n.\vec{\mathcal{L}}_n[\alpha] \ldots]$, where $\vec{\mathcal{L}}_1, \ldots, \vec{\mathcal{L}}_n$ are vectors of locks, if ξ appears only in contexts that are of the form $\vec{\mathcal{U}}_n[(\ldots(\vec{\mathcal{U}}_1[\xi\,\vec{M}_1]) \ldots)\vec{M}_n]$, where $\vec{M}_1, \ldots, \vec{M}_n$ and $\vec{\mathcal{U}}_1, \ldots, \vec{\mathcal{U}}_n$ have the same arities as the corresponding vectors of Π's and locks.

Definition 2.3 (Judgements in long βη-normal form).

1. A term T in a judgement is in βη-lnf if T is in normal form and every constant and variable occurrence in T is fully applied and unlocked w.r.t. its classifier in the judgement.

2. A judgement is in βη-lnf if all terms appearing in it are in βη-lnf.

Theorem 2.8 (Correspondence). Assume that all predicates in LLF_P are well-behaved, according to Definition 2.1 of [19]. For any predicate $\mathcal{P}$ in LLF_P, we define a corresponding predicate in CLLF_P with: $\mathcal{P}(\Gamma \vdash_\Sigma M \Leftarrow \sigma)$ holds if $\Gamma \vdash_\Sigma M \Leftarrow \sigma$ is derivable in CLLF_P and $\mathcal{P}(\Gamma \vdash_\Sigma M : \sigma)$ holds in LLF_P. Then, we have:

1. If $\Sigma\ \mathrm{sig}$ is in βη-lnf and is LLF_P-derivable, then $\Sigma\ \mathrm{sig}$ is CLLF_P-derivable.

2. If $\vdash_\Sigma \Gamma$ is in βη-lnf and is LLF_P-derivable, then $\vdash_\Sigma \Gamma$ is CLLF_P-derivable.

3. If $\Gamma \vdash_\Sigma K$ is in βη-lnf and is LLF_P-derivable, then $\Gamma \vdash_\Sigma K$ is CLLF_P-derivable.

4. If $\Gamma \vdash_\Sigma \alpha : K$ is in βη-lnf and is LLF_P-derivable, then $\Gamma \vdash_\Sigma \alpha \Rightarrow K$ is CLLF_P-derivable.

5. If $\Gamma \vdash_\Sigma \sigma : \mathrm{type}$ is in βη-lnf and is LLF_P-derivable, then $\Gamma \vdash_\Sigma \sigma\ \mathrm{type}$ is CLLF_P-derivable.

6. If $\Gamma \vdash_\Sigma A : \sigma$ is in βη-lnf and is LLF_P-derivable, then $\Gamma \vdash_\Sigma A \Rightarrow \sigma$ is CLLF_P-derivable.

7. If $\Gamma \vdash_\Sigma M : \sigma$ is in βη-lnf and is LLF_P-derivable, then $\Gamma \vdash_\Sigma M \Leftarrow \sigma$ is CLLF_P-derivable.

Notice that, by the Correspondence Theorem above, any well-behaved predicate $\mathcal{P}$ in LLF_P in the sense of Definition 2.1 of [19] induces a well-behaved predicate in CLLF_P. Finally, notice that not all LLF_P judgements have a corresponding βη-lnf. Namely, the judgement $x{:}\mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho] \vdash_\Sigma x : \mathcal{L}^{\mathcal{P}}_{N,\sigma}[\rho]$ does not admit an η-expanded normal form when the predicate $\mathcal{P}$ does not hold on N, as the rule (O-Unlock) can be applied only when the predicate holds.

3 The Type System CLLF_P?

The main idea behind CLLF_P? (see Figures 6, 7 and 8¹) is to "empower" the framework of CLLF_P by adding to the lock/unlock mechanism the possibility to receive from the external oracle a witness satisfying suitable constraints. Thus, we can pave the way for gluing together different proof development environments beyond proof-irrelevance scenarios. In this context, the lock constructor behaves as a binder.

¹For lack of space, we present in these figures only the categories and rules of CLLF_P? that differ from their CLLF_P counterparts.

$\sigma, \tau, \rho \in \mathcal{F}$   $\sigma ::= \alpha \mid \Pi x{:}\sigma.\tau \mid \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho]$   Canonical families

$M, N \in \mathcal{O}$   $M ::= A \mid \lambda x{:}\sigma.M \mid \mathcal{L}^{\mathcal{P}}_{x:\sigma}[M]$   Canonical objects

Figure 6: CLLF_P? Syntax, changes w.r.t. CLLF_P

Canonical family rules

$$\frac{\Gamma, x{:}\sigma \vdash_\Sigma \rho\ \mathrm{type}}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho]\ \mathrm{type}}\ (F\text{-}Lock)$$

$$\frac{\Gamma, y{:}\tau \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho]\ \mathrm{type} \quad \Gamma \vdash_\Sigma A \Rightarrow \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\tau] \quad \rho[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/y]^F_{(\tau)^-} = \rho'}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho']\ \mathrm{type}}\ (F\text{-}Nested\text{-}Unlock)$$

Atomic object rules

$$\frac{\Gamma \vdash_\Sigma A \Rightarrow \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho] \quad \Gamma \vdash_\Sigma N \Leftarrow \sigma \quad \mathcal{P}(\Gamma \vdash_\Sigma N \Leftarrow \sigma) \quad \rho[N/x]^F_{(\sigma)^-} = \rho'}{\Gamma \vdash_\Sigma \mathcal{U}^{\mathcal{P}}_{N,\sigma}[A] \Rightarrow \rho'}\ (O\text{-}Unlock)$$

Canonical object rules

$$\frac{\Gamma, x{:}\sigma \vdash_\Sigma M \Leftarrow \rho}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{x:\sigma}[M] \Leftarrow \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho]}\ (O\text{-}Lock)$$

$$\frac{\Gamma, y{:}\tau \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{x:\sigma}[M] \Leftarrow \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho] \quad \Gamma \vdash_\Sigma A \Rightarrow \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\tau] \quad \rho[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/y]^F_{(\tau)^-} = \rho' \quad M[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/y]^O_{(\tau)^-} = M'}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{x:\sigma}[M'] \Leftarrow \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho']}\ (O\text{-}Nested\text{-}Unlock)$$

Figure 7: The CLLF_P? Type System, changes w.r.t. CLLF_P

The new (O-Lock) rule is the following:

$$\frac{\Gamma, x{:}\sigma \vdash_\Sigma M \Leftarrow \rho}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{x:\sigma}[M] \Leftarrow \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho]}\ (O\text{-}Lock)$$

where the variable x is a placeholder bound in M and ρ, which will be replaced by the concrete term that will be returned by the external oracle call. The intuitive meaning behind the (O-Lock) rule is, therefore, that of recording the need to delegate to the external oracle the inference of a suitable witness of a given type. Indeed, M can be thought of as an "incomplete" term which needs to be completed by an inhabitant of a given type σ satisfying the constraint $\mathcal{P}$. The actual term, possibly synthesized by the external tool, will be "released" in CLLF_P? by the unlock constructor in the (O-Unlock) rule, as follows:

$$\frac{\Gamma \vdash_\Sigma A \Rightarrow \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho] \quad \rho[N/x]^F_{(\sigma)^-} = \rho' \quad \mathcal{P}(\Gamma \vdash_\Sigma N \Leftarrow \sigma)}{\Gamma \vdash_\Sigma \mathcal{U}^{\mathcal{P}}_{N,\sigma}[A] \Rightarrow \rho'}\ (O\text{-}Unlock)$$

The term $\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]$ intuitively means that N is precisely the synthesized term satisfying the constraint $\mathcal{P}(\Gamma \vdash_\Sigma N \Leftarrow \sigma)$ that will replace, in CLLF_P?, all the free occurrences of x in ρ. This replacement is executed in the (S-O-Unlock-H) hereditary substitution rule (Figure 8).

Similarly to CLLF_P, also in CLLF_P? it is possible to "postpone" or delay the verification of an external predicate in a lock, provided an outermost lock is present. Whence, the synthesis of the actual inhabitant N can be delayed, thanks to the (O-Nested-Unlock) rule:

$$\frac{\Gamma, y{:}\tau \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{x:\sigma}[M] \Leftarrow \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho] \quad \Gamma \vdash_\Sigma A \Rightarrow \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\tau] \quad \rho[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/y]^F_{(\tau)^-} = \rho' \quad M[\mathcal{U}^{\mathcal{P}}_{N,\sigma}[A]/y]^O_{(\tau)^-} = M'}{\Gamma \vdash_\Sigma \mathcal{L}^{\mathcal{P}}_{x:\sigma}[M'] \Leftarrow \mathcal{L}^{\mathcal{P}}_{x:\sigma}[\rho']}\ (O\text{-}Nested\text{-}Unlock)$$

The metatheory of CLLF_P? follows closely that of CLLF_P as far as decidability is concerned. We have no correspondence theorem since we did not introduce a non-canonical variant LLF_P?. This could have been done similarly to LLF_P.
Substitution in Canonical Families

$$\frac{\sigma_1[M_0/x_0]^F_{\rho_0} = \sigma_1' \quad \sigma_2[M_0/x_0]^F_{\rho_0} = \sigma_2'}{\mathcal{L}^{\mathcal{P}}_{x:\sigma_1}[\sigma_2][M_0/x_0]^F_{\rho_0} = \mathcal{L}^{\mathcal{P}}_{x:\sigma_1'}[\sigma_2']}\ (S\text{-}F\text{-}Lock)$$

Substitution in Atomic Objects

$$\frac{\sigma[M_0/x_0]^F_{\rho_0} = \sigma' \quad M[M_0/x_0]^O_{\rho_0} = M' \quad A[M_0/x_0]^{O_a}_{\rho_0} = \mathcal{L}^{\mathcal{P}}_{x:\sigma'}[M_1] : \mathcal{L}^{\mathcal{P}}_{\sigma'}[\rho] \quad M_1[M'/x]^O_{(\sigma')^-} = M_2}{\mathcal{U}^{\mathcal{P}}_{M,\sigma}[A][M_0/x_0]^{O_a}_{\rho_0} = M_2 : \rho}\ (S\text{-}O\text{-}Unlock\text{-}H)$$

Substitution in Canonical Objects

$$\frac{\sigma_1[M_0/x_0]^F_{\rho_0} = \sigma_1' \quad M_1[M_0/x_0]^O_{\rho_0} = M_1'}{\mathcal{L}^{\mathcal{P}}_{x:\sigma_1}[M_1][M_0/x_0]^O_{\rho_0} = \mathcal{L}^{\mathcal{P}}_{x:\sigma_1'}[M_1']}\ (S\text{-}O\text{-}Lock)$$

Figure 8: CLLF_P? Hereditary Substitution, changes w.r.t. CLLF_P

4 Case studies

In this section, we discuss the encodings of a collection of logical systems which illustrate the expressive power and the flexibility of CLLF_P and CLLF_P?. We discuss Fitch-Prawitz Consistent Set Theory, FPST [30], some applications of FPST to the normalizing λ-calculus, a system of Light Linear Logic in CLLF_P, and the encoding of a partial function in CLLF_P?.

The crucial step in encoding a logical system in CLLF_P or CLLF_P? is to define the predicates involved in locks. Predicates defined on closed terms are usually unproblematic. Difficulties arise in enforcing the properties of closure under hereditary substitution and closure under signature and context extension, when predicates are defined on open terms. To be able to streamline the definition of well-behaved predicates we introduce the following:

Definition 4.1. Given a signature Σ, let $\Lambda_\Sigma$ (respectively $\Lambda^c_\Sigma$) be the set of LLF_P terms (respectively closed LLF_P terms) definable using constants from Σ. A term M has a skeleton in $\Lambda_\Sigma$ if there exists a term $N[x_1, \ldots, x_n] \in \Lambda_\Sigma$, whose free variables (called holes of the skeleton) are in $\{x_1, \ldots, x_n\}$, and there exist terms $M_1, \ldots, M_n$ such that $M = N[M_1/x_1, \ldots, M_n/x_n]$.


4.1 Fitch Set Theory à la Prawitz: FPST

In this section, we present the encoding of a formal system of remarkable logical as well as historical significance, namely the system of consistent Naive Set Theory, FPST, introduced by Fitch [11]. This system was first presented in Natural Deduction style by Prawitz [30]. As Naive Set Theory is inconsistent, to prevent the derivation of inconsistencies from the unrestricted abstraction rule, only normalizable deductions are allowed in FPST. Of course, this side-condition is extremely difficult to capture using traditional tools.

In the present context, instead, we can put to use the machinery of CLLF_P to provide an appropriate encoding of FPST where the global normalization constraint is enforced locally by checking the proof object. This encoding beautifully illustrates the bag of tricks that CLLF_P supports. Checking that a proof term is normalizable would be the obvious predicate to use in the corresponding lock-type, but this would not be a well-behaved predicate if free variables, i.e. assumptions, are not sterilized. To this end, we introduce a distinction between generic judgements, which cannot be directly utilized in arguments, but which can be assumed, and apodictic judgements, which are directly involved in proof rules. In order to make use of a generic judgement, one has to downgrade it to an apodictic one. This is achieved by a suitable coercion function.

Definition 4.2 (Fitch Prawitz Set Theory, FPST). For lack of space, here we only give the crucial rules for implication and for set-abstraction, and the corresponding elimination rules, of the full system of Fitch (see [30]), as presented by Prawitz:

$$\frac{\Gamma, A \vdash_{FPST} B}{\Gamma \vdash_{FPST} A \supset B}\ (\supset I) \qquad \frac{\Gamma \vdash_{FPST} A \quad \Gamma \vdash_{FPST} A \supset B}{\Gamma \vdash_{FPST} B}\ (\supset E)$$

$$\frac{\Gamma \vdash_{FPST} A[t/x]}{\Gamma \vdash_{FPST} t \in \lambda x.A}\ (\lambda I) \qquad \frac{\Gamma \vdash_{FPST} t \in \lambda x.A}{\Gamma \vdash_{FPST} A[t/x]}\ (\lambda E)$$

The intended meaning of the term $\lambda x.A$ is the set $\{x \mid A\}$. In Fitch's system, FPST, conjunction and universal quantification are defined as usual, while negation is defined constructively, but it still allows for the usual definitions of disjunction and existential quantification. What makes FPST consistent is that not all standard deductions in FPST are legal. Standard deductions are called quasi-deductions in FPST. A legal deduction in FPST is defined instead as a quasi-deduction which is normalizable in the standard sense of Natural Deduction, namely it can be transformed into a derivation where all elimination rules occur before introductions.


Definition 4.3 (CLLF_P signature $\Sigma_{FPST}$ for Fitch Prawitz Set Theory). The following constants are introduced:

- $o : \mathrm{Type}$
- $\iota : \mathrm{Type}$
- $T : o \to \mathrm{Type}$
- $V : o \to \mathrm{Type}$
- $\mathrm{lam} : (\iota \to o) \to \iota$
- $\in\ : \iota \to \iota \to o$
- $\supset\ : o \to o \to o$
- $\delta : \Pi A{:}o.\,(V(A) \to T(A))$
- $\lambda\_\mathrm{intro} : \Pi A{:}\iota \to o.\,\Pi x{:}\iota.\,T(A\,x) \to T(\in x\,(\mathrm{lam}\,A))$
- $\lambda\_\mathrm{elim} : \Pi A{:}\iota \to o.\,\Pi x{:}\iota.\,T(\in x\,(\mathrm{lam}\,A)) \to T(A\,x)$
- $\supset\_\mathrm{intro} : \Pi A, B{:}o.\,(V(A) \to T(B)) \to T(A \supset B)$
- $\supset\_\mathrm{elim} : \Pi A, B{:}o.\,\Pi x{:}T(A).\,\Pi y{:}T(A \supset B).\,\mathcal{L}^{Fitch}_{\langle x, y \rangle,\, T(A) \times T(A \supset B)}[T(B)]$

where o is the type of propositions, ⊃ and the "membership" predicate ∈ are the syntactic constructors for propositions, lam is the "abstraction" operator for building "sets", T is the apodictic judgement, V is the generic judgement, δ is the coercion function, and $\langle x, y \rangle$ denotes the encoding of pairs, whose type is denoted by $\sigma \times \tau$, e.g. $\lambda u{:}\sigma \to \tau \to \rho.\,u\,x\,y : (\sigma \to \tau \to \rho) \to \rho$. The predicate in the lock is defined as follows:

$$Fitch(\Gamma \vdash_{\Sigma_{FPST}} \langle x, y \rangle \Leftarrow T(A) \times T(A \supset B))$$

holds iff x and y have skeletons in $\Lambda_{\Sigma_{FPST}}$, all the holes of which either have type o or are guarded by a δ, and hence have type V(A), and, moreover, the proof derived by combining the skeletons of x and y is normalizable in the natural sense. Clearly, this predicate is only semi-decidable.


For lack of space, we do not spell out the rules concerning the other logical operators, because 
they are all straightforward provided we use only the apodictic judgement T(·), but a few remarks are 
mandatory. The notion of normalizable proof is the standard notion used in natural deduction. The 
predicate Fitch is well-behaved because it considers terms only up to holes in the skeleton, which can 
have type o or are generic judgements. Adequacy for this signature can be achieved in the format of [19]: 


Theorem 4.1 (Adequacy for Fitch-Prawitz Naive Set Theory). If A_1, ..., A_n are the atomic formulas 
occurring in B_1, ..., B_m, A, then B_1 ... B_m ⊢_FPST A iff there exists a normalizable M such that A_1:o, ..., A_n:o, 
x_1:V(B_1), ..., x_m:V(B_m) ⊢_{Σ_FPST} M ⇐ T(A) (where A_i and B_i represent the encodings of, respectively, A_i and 
B_i in CLLF_P, for 1 ≤ i ≤ m). 
4.2 A Type System for strongly normalizing λ-terms 

Fitch-Prawitz Set Theory, FPST, is a rather intriguing, albeit unexplored, set theoretic system. The 
normalizability criterion for accepting a quasi-deduction prevents the derivation of contradictions and 
hence makes the system consistent. Of course, some intuitive rules are not derivable. For instance, modus 
ponens does not hold, and if t ∈ λx.A then we do not necessarily have that A[t/x] holds. Similarly, the 
transitivity property does not hold. However, FPST is a very expressive type system which "encompasses" 
many kinds of quantification, provided normalization is preserved, and Fitch has shown, see e.g. 
[?], that a large portion of ordinary Mathematics can be carried out in FPST. 

In this subsection, we sketch how to use FPST to define a type system which can type precisely all 
the strongly normalizing λ-terms. Namely, we show that in FPST there exists a set Λ to which belong 
only the strongly normalizing λ-terms. We speak of a type system because the proof in FPST that a term 
belongs to Λ is syntax directed. First we need to be able to define recursive objects in FPST. We adapt 
to FPST Prop. 4, Appendix A.1 of [13], originally given by J-Y. Girard for Light Linear Logic, as: 

Theorem 4.2 (Fixpoint). Let A[P, x_1, ..., x_n] be a formula of FPST with an n-ary predicate variable P. 
Then, there exists a formula B of FPST such that there exists a normalizable deduction in FPST between 
A[λx_1 ... x_n.B[x_1, ..., x_n], x_1, ..., x_n] and B, and vice versa. 

Proof. Let equality be Leibniz equality; then, assuming n = 1, define Δ = λz.∃x.∃y. z = ⟨x,y⟩ & A[(λw.⟨w,y⟩ ∈ y), x]. 
Then ⟨x,Δ⟩ ∈ Δ is equivalent, in the sense of FPST, to A[(λw.⟨w,Δ⟩ ∈ Δ), x]. □ 

Using the Fixpoint Theorem we define first natural numbers, then a concrete representation of the 
terms of the λ-calculus, say Λ_0. Using again the Fixpoint Theorem, we define a (representation of the) 
substitution function over terms in Λ_0 and finally the set Λ, such that x ∈ Λ is equivalent in FPST to 
x ∈ Λ_0 & ∀y. y ∈ Λ_0 ⊃ app(x,y) ∈ Λ. Here, app(x,y) denotes the concrete representation of "applying" x 
to y. One can derive in FPST that (a representation of) a λ-term, say M, belongs to Λ only if there is 
a normalizable derivation of M ∈ Λ. But then it is straightforward to check that only normalizing terms 
can be typed in FPST with Λ, i.e. belong to Λ. There is indeed a natural reflection between the normalizability 
of the FPST derivation of the typing judgement M ∈ Λ and the fact that the term represented by M is 
indeed normalizable! 

4.3 A Normalizing call-by-value λ-calculus 

In this section we sketch how to express in CLLF_P a call-by-value λ-calculus where β-reductions fire 
only if the result is normalizing. 

Definition 4.4 (Normalizing call-by-value λ-calculus, Σ_λN). 

o : Type    Eq : o -> o -> Type    app : o -> o -> o 
v : Type    var : v -> o    lam : (v -> o) -> o 
c_beta : ΠM:o->o. ΠN:o. L^{P}_{⟨M,N⟩, (o->o)×o}[Eq (app (lam λx:v.M(var x)) N) (M N)] 

where the predicate P holds on Γ ⊢_{Σ_λN} ⟨M,N⟩ ⇐ (o->o)×o if both M and N have skeletons in Λ_{Σ_λN} 
whose holes are guarded by a var and, moreover, M N "normalizes", in the intuitive sense, outside terms 
guarded by a var. 

4.4 Elementary Affine Logic 

In this section we give a shallow encoding of Elementary Affine Logic as presented in [2]. This example 
will exemplify how locks can be used to deal with global syntactic constraints, such as those in the promotion rule 
of Elementary Affine Logic. 
Definition 4.5 (Elementary Affine Logic EAL). Elementary Affine Logic can be specified by the following 
rules: 

$$\frac{}{A \vdash_{EAL} A}\ (Var) \qquad \frac{\Gamma \vdash_{EAL} B}{\Gamma, A \vdash_{EAL} B}\ (Weak) \qquad \frac{\Gamma \vdash_{EAL}\, !A \quad \Delta, !A, \ldots, !A \vdash_{EAL} B}{\Gamma, \Delta \vdash_{EAL} B}\ (Contr)$$

$$\frac{\Gamma, A \vdash_{EAL} B}{\Gamma \vdash_{EAL} A \multimap B}\ (Abst) \qquad \frac{\Gamma \vdash_{EAL} A \quad \Delta \vdash_{EAL} A \multimap B}{\Gamma, \Delta \vdash_{EAL} B}\ (Appl)$$

$$\frac{A_1, \ldots, A_n \vdash_{EAL} A \quad \Gamma_1 \vdash_{EAL}\, !A_1 \quad \cdots \quad \Gamma_n \vdash_{EAL}\, !A_n}{\Gamma_1, \ldots, \Gamma_n \vdash_{EAL}\, !A}\ (Prom)$$
Definition 4.6 (LLF_P signature Σ_EAL for Elementary Affine Logic). 

o : Type 
T : o -> Type 
V : o -> Type 
⊸ : o -> o -> o 
! : o -> o 
c_appl : ΠA,B:o. T(A) -> T(A ⊸ B) -> T(B) 
c_abstr : ΠA,B:o. Πx:(T(A) -> T(B)). L^{Light}_{x, T(A)->T(B)}[T(A ⊸ B)] 
c_val : ΠA:o. V(A) -> T(!A) 
c_promV_1 : ΠA,B:o. Πx:(T(A) -> T(B)). L^{Closed}_{x, T(A)->T(B)}[T(!A) -> V(B)] 
c_promV_2 : ΠA,B:o. Πx:(V(A) -> T(B)). L^{Closed}_{x, V(A)->T(B)}[T(!A) -> V(B)] 

where o is the type of propositions, ⊸ and ! are the obvious syntactic constructors, T is the basic judgement, 
and V(·) is an auxiliary judgement. The predicates involved in the locks are defined as follows: 


• Light(Γ ⊢_{Σ_EAL} x ⇐ T(A) → T(B)) holds iff, if A is not of the shape !A, then the bound variable of x 
occurs at most once in the normal form of x. 

• Closed(Γ ⊢_{Σ_EAL} x ⇐ T(A)) holds iff the skeleton of x contains only free variables of type o, i.e. no 
variables of type T(B), for any B : o. 
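The two side conditions above, as an added example that is not the paper's code: a small Python term representation on which Light and Closed can be checked. It assumes terms already in normal form and variables tagged with the name of their type; the constructors Var, Lam, App and the helper functions are our own, not constants of Σ_EAL.

```python
from dataclasses import dataclass
from typing import Union

# Constructed term language (not the paper's): variables carry the name of their
# type so the side conditions can inspect it; terms are assumed to be in normal form.
@dataclass(frozen=True)
class Var:
    name: str
    ty: str                      # e.g. "o", "T(A)", "T(!A)"

@dataclass(frozen=True)
class Lam:
    var: Var
    body: "Term"

@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"

Term = Union[Var, Lam, App]

def occurrences(t: Term, v: Var) -> int:
    """Number of free occurrences of v in t."""
    if isinstance(t, Var):
        return 1 if t == v else 0
    if isinstance(t, Lam):
        return 0 if t.var == v else occurrences(t.body, v)
    return occurrences(t.fun, v) + occurrences(t.arg, v)

def free_vars(t: Term, bound: frozenset = frozenset()) -> set:
    """Free variables of t (each Var carries its type, so the result can be filtered)."""
    if isinstance(t, Var):
        return set() if t in bound else {t}
    if isinstance(t, Lam):
        return free_vars(t.body, bound | {t.var})
    return free_vars(t.fun, bound) | free_vars(t.arg, bound)

def light(x: Lam) -> bool:
    """Light(Γ ⊢ x ⇐ T(A) -> T(B)): unless A has the shape !A', the bound variable
    of x may occur at most once (affine use) in the normal form of x."""
    a_is_bang = x.var.ty.startswith("T(!")
    return a_is_bang or occurrences(x.body, x.var) <= 1

def closed(x: Term) -> bool:
    """Closed(Γ ⊢ x ⇐ ...): the skeleton of x has free variables of type o only,
    i.e. no free proof variable of some type T(B)."""
    return all(v.ty == "o" for v in free_vars(x))

# Constructed sample: contraction λy.(y y) violates Light at T(A) but not at T(!A).
Y, BANG_Y = Var("y", "T(A)"), Var("y", "T(!A)")
CONTRACTION, BANG_CONTRACTION = Lam(Y, App(Y, Y)), Lam(BANG_Y, App(BANG_Y, BANG_Y))
```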

A few remarks are mandatory. The promotion rule in EAL is in effect a family of natural deduction 
rules with a growing number of assumptions. Our encoding achieves this via the auxiliary judgement 
V(·), the effect of which is self-explanatory. Adequacy for this signature can be achieved only in the 
format of [19], namely: 

Theorem 4.3 (Adequacy for Elementary Affine Logic). If A_1, ..., A_n are the atomic formulas occurring 
in B_1, ..., B_m, A, then B_1 ... B_m ⊢_EAL A iff there exists M such that A_1:o, ..., A_n:o, x_1:T(B_1), ..., x_m:T(B_m) ⊢_{Σ_EAL} 
M ⇐ T(A) (where A_i and B_i represent the encodings of, respectively, A_i and B_i in CLLF_P, for 1 ≤ i ≤ m) 
and all variables x_1 ... x_m occurring more than once in M have a type of the shape T(B_i) = T(!C_i) for some 
suitable formula C_i. 

The check on the context of the Adequacy Theorem is external to the system LLF_P, but this is in the 
nature of results which relate internal and external concepts. For example, the very concept of LLF_P 
context, which appears in any adequacy result, is external to LLF_P. Of course, this check is internalized 
if the term is closed. 


4.5 Square roots of natural numbers in CLLF_P? 

It is well-known that logical frameworks based on Constructive Type Theory do not permit definitions 
of non-terminating functions (i.e., all the functions one can encode in such frameworks are total). One 
interesting use of the CLLF_P? system is the possibility of reasoning about partial functions by delegating 
their computation to external oracles, and getting back their possible outputs, via the lock-unlock 
mechanism of CLLF_P?. 

For instance, we can encode natural numbers and compute their square roots by means of the following 
signature (⟨x,y⟩ denotes the encoding of pairs, whose type is denoted by σ×τ, and fst and snd are 
the first and second projections, respectively): 

nat : Type    0 : nat    S : nat -> nat    plus : nat -> nat -> nat 
mult : nat -> nat -> nat    minus : nat -> nat -> nat    sqroot : nat -> nat 
eval : nat -> nat -> Type 
sqrt : Πx:nat. L^{SQRT}_{y, nat×σ}[(eval (sqroot x) (fst y))] 

where eval represents the usual evaluation predicate, the variable y is a pair and 

σ = (eval (plus (minus x (mult z z)) (minus (mult z z) x)) 0) 

and SQRT(Γ ⊢ y ⇐ nat×σ) holds if and only if the first projection of y is the minimum number N such 
that (x − N * N) + (N * N − x) = 0, where + and * are represented by plus and mult, while − (represented 
by minus in our signature) is defined as follows: 



$$x - y = \begin{cases} x - y & \text{if } x > y \\ 0 & \text{otherwise} \end{cases}$$


Thus, the specification of sqroot is not explicit in CLLF_P?, since it is implicit in the definition of SQRT. 
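The lock-unlock mechanism just described, as an added example that is not part of the paper: a Python model of the SQRT predicate in both modes the paper's systems support, checking a candidate pair (as in CLLF_P) and asking an oracle for a witness (as in CLLF_P?). The names minus, sigma, sqrt_predicate, sqrt_oracle and Lock are our own modelling choices, not constants of the signature above, although minus and sigma follow the paper's definitions of − and σ.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

def minus(x: int, y: int) -> int:
    """The paper's truncated subtraction: x - y if x > y, and 0 otherwise."""
    return x - y if x > y else 0

def sigma(x: int, z: int) -> int:
    """Left-hand side of the constraint in σ: (x - z*z) + (z*z - x), to be compared with 0."""
    return minus(x, z * z) + minus(z * z, x)

def sqrt_predicate(x: int, y: Tuple[int, int]) -> bool:
    """SQRT in checking mode (CLLF_P style): does the pair y = <N, proof> satisfy the
    side condition, i.e. sigma(x, N) = 0 and N is the least such number?"""
    n, proof = y
    if n < 0 or proof != 0 or sigma(x, n) != 0:
        return False
    return all(sigma(x, k) != 0 for k in range(n))   # minimality of N

def sqrt_oracle(x: int) -> Optional[Tuple[int, int]]:
    """SQRT in witness mode (CLLF_P? style): the external oracle searches for the least
    N with sigma(x, N) = 0 and hands back <N, 0>, or None when x is not a square.
    The search stops once N*N exceeds x, so the oracle always answers."""
    n = 0
    while n * n <= x:
        if sigma(x, n) == 0:
            return (n, 0)
        n += 1
    return None

@dataclass(frozen=True)
class Lock:
    """Models a lock term L^SQRT_{y, nat×σ}[eval (sqroot x) (fst y)]: well typed for
    every x, released only when the oracle supplies a witness (None = still locked)."""
    predicate: str
    witness: Optional[Tuple[int, int]]

def sqrt(x: int) -> Lock:
    """The constant sqrt applied to x, asking the oracle to release the lock."""
    return Lock("SQRT", sqrt_oracle(x))

def sqroot_value(x: int) -> Optional[int]:
    """fst y, i.e. the number eval (sqroot x) is related to, when the lock is released;
    for a non-square x the lock stays locked and the partial function has no output."""
    lock = sqrt(x)
    return None if lock.witness is None else lock.witness[0]
```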


5 Related work 

Building a universal framework with the aim of "gluing" different tools and formalisms together is a long 
standing goal that has been extensively explored in the inspiring work on Logical Frameworks by [?, 27, 
35, ?, 3, 23, 28, 29, 17]. Moreover, the appealing monadic structure and properties of the lock/unlock 
mechanism go back to Moggi's notion of computational monads [25]. Indeed, our system can be seen 
as a generalization to a family of dependent lax operators of Moggi's partial λ-calculus [24] and of 
the work carried out in [?, 23] (which is also the original source of the term "lax"). A correspondence 
between lax modalities and monads in functional programming was pointed out in [?, 12]. On the other 
hand, although the connection between constraints and monads in logic programming was considered 
in the past, e.g., in [?], to our knowledge, our systems are the first attempt to establish a clear 
correspondence between side conditions and monads in a higher-order dependent-type theory and in 
logical frameworks. Of course, there are a lot of interesting points of contact with other systems in the 
literature which should be explored. For instance, in [26], the authors introduce a contextual modal logic, 
where the notion of context is rendered by means of monadic constructs. We only point out that, as we 
did in our system, they could have also simplified their system by doing away with the let construct in 
favor of a deeper substitution. Schröder-Heister has discussed in a number of papers, see e.g. [33, 32], 
various restrictions and side conditions on rules and on the nature of assumptions that one can add to 
logical systems to prevent the arising of paradoxes. There are some potential connections between his 
work and ours. It would be interesting to compare his requirements on side conditions being "closed 
under substitution" to our notion of well-behaved predicate. Similarly, there are commonalities between 
his distinction between specific and unspecific variables, and our treatment of free variables in well-behaved 
predicates. LFSC, presented in [?], is more reminiscent of our approach as "it extends LF 
to allow side conditions to be expressed using a simple first-order functional programming language". 
Indeed, the author factors the verification of side conditions out of the main proof. The task is delegated 
to the type checker, which runs the code associated with the side condition, verifying that it yields the 
expected output. The proposed machinery is focused on providing improvements for SMT solvers. 